From: [EMAIL PROTECTED]
Operating system: Linux
PHP version: 4.0.4pl1
PHP Bug Type: Feature/Change Request
Bug description: Selectable option for PHP_AUTH_PW

I am currently running Apache-1.3.17 with php-4.0.4pl1. It appears that when I am using Apache's own mod_auth with .htaccess and .htpasswd authentication, PHP will store the password from Apache in the PHP_AUTH_PW variable. Though it is useful sometimes, it also creates a security problem in the following situation.

Access to http://www.abc.com is limited to users who each have their own unique username/password.
http://www.abc.com/apps1 is developed and maintained by groupA.
http://www.abc.com/apps2 is developed and maintained by groupB.

Any malicious developer in groupA or B will be able to silently steal the user's password when they access either apps1 or apps2, without the user knowing, by just saving the values found in PHP_AUTH_USER and PHP_AUTH_PW. The malicious developer can then use the saved password to assume the identity of the original user and access the website to perform functions without the original user knowing.

Hence I am wondering if it will be possible to have a configuration directive that can select whether PHP_AUTH_PW will store the external password when external authentication modules like mod_auth are used.

--
Edit Bug report at: http://bugs.php.net/?id=9022&edit=1
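An added example, not part of the original report or of PHP itself: a small source-review check a site owner in the situation described above could run over each group's PHP code to flag lines that read the HTTP authentication password. The file names, the sample sources and the two extra access paths (raw Authorization header, header-dump functions) are assumptions made for illustration.

```python
import re

# PHP_AUTH_PW is the variable named in the report; the other two access paths
# (raw Authorization header, header-dump functions) are assumptions about what
# a reviewer would also want flagged.
PATTERNS = [
    ("PHP_AUTH_PW", re.compile(r"PHP_AUTH_PW")),
    ("Authorization header", re.compile(r"HTTP_AUTHORIZATION")),
    ("header dump", re.compile(r"\b(?:getallheaders|apache_request_headers)\s*\(", re.I)),
]
# Whole-line comments (//, #, /* or a continuation *) are not executable reads.
COMMENT_LINE = re.compile(r"^\s*(?://|#|/\*|\*)")


def audit(sources):
    """Return (path, line_no, label) for every code line that can reach the password."""
    findings = []
    for path in sorted(sources):
        for line_no, line in enumerate(sources[path].splitlines(), start=1):
            if COMMENT_LINE.match(line):
                continue
            for label, pattern in PATTERNS:
                if pattern.search(line):
                    findings.append((path, line_no, label))
    return findings


# Constructed sample sources standing in for the two groups' applications.
SAMPLE_SOURCES = {
    "apps1/index.php": (
        "<?php\n"
        "// PHP_AUTH_PW is deliberately not used here\n"
        "echo 'Hello ' . htmlspecialchars($PHP_AUTH_USER);\n"
        "?>\n"
    ),
    "apps2/profile.php": (
        "<?php\n"
        "$user = $HTTP_SERVER_VARS['PHP_AUTH_USER'];\n"
        "$pw = $HTTP_SERVER_VARS['PHP_AUTH_PW'];\n"
        "$hdrs = getallheaders();\n"
        "?>\n"
    ),
}

if __name__ == "__main__":
    for path, line_no, label in audit(SAMPLE_SOURCES):
        print(f"{path}:{line_no}: reads {label}")
```

A textual check like this only narrows what a human reviewer has to read; it does not see variable-variable lookups or names assembled at run time.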